Privacy, Human Rights, Law, The Internet, Politics and more

The story of Google’s AI subsidiary DeepMind took a not-unexpected turn this week when the ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to DeepMind. This is the latest step in a saga that looks set to rumble on for some time – and one from which there are many, many lessons to be learned. One of those – sadly one that does not seem likely to be heeded as much as it should be – is that those involved in projects like this should pay more attention to those who can loosely be described as ‘privacy geeks’.

Two in particular have been critically involved in this process – Hal Hodson (@halhod) and Julia Powles (@juliapowles). Hal started the ball rolling with a serious piece of investigative journalism in New Scientist in April 2016, which brought the issue to light, and as well as further journalistic work Hal and Julia wrote a piece of ‘proper’ academic work – ‘Google DeepMind and healthcare in an age of algorithms’ in the journal Healthcare and Technology. This led, ultimately, to the ICO’s investigation and ruling – though it has to be noted that the ICO’s ruling is on DeepMind’s trial with the Royal Free: the real test will be when DeepMind’s work rolls out. The ICO has asked the Royal Free, amongst other things, to do a full ‘privacy impact assessment’ prior to further work. That they did not do so prior to the previous trial is one of the serious shortcomings of the project. As Julia Powles put it in the Guardian yesterday:

“The ruling states that by transferring this data and using it for app testing, the Royal Free breached four data protection principles, as well as patient confidentiality under the common law. The transfer was not fair, transparent, lawful, necessary or proportionate. Patients wouldn’t have expected it, they weren’t told about it and their information rights weren’t available to them.”

In all these cases, the warning signs were there, if only the people involved had been willing to listen. The same will happen again – because the privacy geeks know what they’re doing. All too often those involved in these kinds of projects – people from businesses and from big public sector organisations – see those who raise concerns as either easily-dismissed tinfoil-hat-wearing consipiracy theorists, or as people who can cause a little trouble on Twitter but little more than that. Nothing to be taken seriously, little more than an annoyance. More, they’re seen as barriers to innovation, people just raising trouble for its own sake, luddites or worse.

None of this is true. Firstly, the people involved – whether they’re journalists, academics or ‘activists’ (and often they wear more than one of those hats) are often genuine experts. Hal Hodson’s degree from Trinity College Dublin is in Astrophysics, for example, whilst Julia Powles has a PhD in Law from Cambridge. Their concerns aren’t foolish, the issues they raise aren’t just for the sake of it.

Secondly, they know how to use the media – both the social media and the ‘traditional’ media. Hal’s original work was in the New Scientist, and he’s now The Economist’s Technology Correspondent. Julia writes regularly for the Guardian. Both know people all over the media and academia – and they’re far from alone. The failure of care.data and Samaritans Radar involved different people (there are many of us) but similar patterns – blogs, articles in the mainstream media, academic attention and more.

Thirdly, and perhaps most importantly, the people involved are far from a barrier to innovation. I have labelled them (and I’m very much one of them!) ‘geeks’ for a reason. We’re not geeks only about privacy – we’re real geeks. We like technology, we like innovation. We play with all the new technological toys, and see the potential in all kinds of directions – but we want these innovations to work for the people, to work responsibly, to be sustainable. Indeed, this last point is critical – it is a central tenet of much of my own academic work that if privacy is not considered properly, it is not just that a project should fail, but that it will fail. People will reject it – who now remembers the wonderful Google Glass, for example? Despite the sexy technology and the backing of Google’s deep pockets it died a death. It may well re-emerge at some point, but it need not have failed…

…and the same is true of many other projects. There are some great ideas, great innovations, that could avoid suffering the fate of Samaritans Radar, care.data and Google Glass. If they are to do so, the people involved should start listening to the privacy geeks, and sooner rather than later. Don’t see us as the enemy. Don’t try to hide what you do – it is very tempting to do everything you can ‘under the radar’, but when it is revealed it looks even worse. That was true of DeepMind’s deal with the Royal Free – and was just as true about Phorm’s ‘secret trials’ with BT and others back in 2006. One thing that people really should have learned is that these things do get discovered, one way or another. When they do, and it looks as though they’ve been done secretly or without proper scrutiny, they look even worse than they are.

It can all be avoided – but it rarely is. Sadly I expect to have to write similar pieces to this many times in the future.

He had always known he would be. A Prodigious Talent like his could not be held down for long. He knew that even Little Miss Maybot would recognise that eventually, and she was generally almost completely unaware of anything going on around her at all. In her Hour of Need, Mr Gove knew she would come to him. And she did.

So he was Back.

Of course if he had been in charge instead of Little Miss Maybot, they would never have been in the pickle they were now. Mr Gove would never have let that awful Mr Corbyn get nearly so close – because Mr Gove had a Winning Personality and Endless Charm, unlike Little Miss Maybot. Now, that Winning Personality and Endless Charm would be brought to bear.

And everything would be better from now on.

Mr Gove had been a little worried that it would take a bit longer to return.

Some people had not really understood that his decision to throw Mr Blowhard under a bus – and not even a bus with ‘£350m a week to the EU’ painted on the side – had actually shown that Mr Gove was loyal, trustworthy and a Good Friend. Still that was the past, and in the end they would realise how wrong they were.

At least Little Miss Maybot had begun to realise that she – and the country – needed Mr Gove. And she did. By Golly she did. Without him, the Tory Party had lost its way. It would be up to Mr Gove to save it, and to save the country.

And he could do it. He knew he could.

Little Miss Maybot had not been perceptive enough to give him one of the jobs he really deserved, but at least she had given him a job he was well suited for.

Of course he wasn’t an expert in Farming or the Environment – but everyone knew that Britain had had Enough of Experts. Mr Gove did, however, know more about Farming and the Environment than he had about education – after all, he had visited a farm a couple of times when he was ten, and once been for a ramble in the Cotswolds – and his time as the Secretary of State for Education had been an Absolute Triumph. Everyone knew that.

And being in charge of the Environment was great too. At least there wasn’t any of that awkward ‘science’ stuff involved – the stuff that had caused him so much trouble when he was in education. Everyone knew that the environment wasn’t anything to do with science. All that lefty ‘climate change’ rubbish could be quickly shelved – and quite right too!

And now that his other Great Triumph had come to pass – Brexit – he had plenty more Good News to tell the farmers.

They would be so happy, he was sure, that Brexit had relieved them of all those terrible subsidies that were plaguing them with paperwork and money. Farmers were like that. Strong. Independent. They didn’t like getting money from those faceless Eurocrats.

And they’d be delighted to contribute more to the Europeans when the tariffs started to kick in.

And absolutely ecstatic that they no longer had to use any of those young, healthy and hardworking European labourers that they’d been using for the last few years. Things would be much better when they’d replaced them with British workers.

Oh yes.

Mr Gove smiled to himself when he thought about it. Everyone was going to be happy with Mr Gove. And the world would be right again.

My own particular ‘lefty-Labour-Twitter-Bubble’ has been enjoying itself in the aftermath of the surprisingly non-depressing election result. I mean, who could possibly not have enjoyed the humiliation of Theresa May?

The analyses of Labour’s performance has been a little less straightforward – which is not surprising given the seemingly enormous divide amongst the people I follow, which include strong Corbyn fans and equally strong Corbyn enemies. Most have been able to simply enjoy the result, but there have been two other analyses offered, both on that Labour could and perhaps should have done even better (more of which later).

Firstly, from the pro-Corbyn people, if only the Blairites hadn’t been undermining Corbyn for the last two years, Labour could have won.

Secondly, from the anti-Corbyn people, if only Labour had had a decent leader, Labour would have won.

Both these arguments have two clear virtues: they’re entirely unprovable and they totally vindicate the positions that had been taken by those advocating them for the last few years. I have more sympathy for the first argument than the second, but neither, for me, is very helpful. The past has happened – the sniping (and worse) happened. And the idea that this result leaves open the possibility of ousting Corbyn is as much a denial of reality as Theresa May claiming it’s given her a resounding mandate. Corbyn will be leading Labour for quite some time!

The key now is to think about what happens next. This is a massive opportunity for unity – and MPs (and commentators) could and should swallow their pride and acknowledge Corbyn’s success. Yes, Theresa May inflicted a lot of wounds on herself, but that’s not the whole story. And don’t forget that this election was set up by May, for May, for the maximum disadvantage for Corbyn. Labour was rock-bottom in the polls, riven by division, caught unprepared, faced by a massively hostile media – and still put together a fine manifesto and a coherent and principled campaign. There were hiccups and messes – there always are – but relatively few. The enthusiasm and positivity- and the competence overcame them.

It would be great to see Labour take this chance to unite. For apologies and acknowledgement rather than point-scoring and revenge.

I for one was quite wrong about how this campaign would go. I’ll happily admit it, and that I was wrong about a whole load of details as well as the big picture. Sometimes it’s great to have been wrong.

The Conservative Manifesto, unlike the Labour Manifesto, has some quite detailed proposals for digital policy – and in particular for the internet. Sadly, however, though there are a few bright spots, the major proposals are deeply disturbing and will send shivers down the spine of anyone interested in internet freedom.

Their idea of a ‘digital charter’ is safe, bland, motherhood and apple-pie stuff about safely and security online, with all the appropriate buzzwords of prosperity and growth. It seems a surprise, indeed, that they haven’t talked about having a ‘strong and stable internet’. They want Britain to be the best place to start and run a digital business, and to make Britain the safest place in the world to be online. Don’t we all?

When the detail comes in, some of it sounds very familiar to people who know what the law already says – and in particular what EU law already says – the eIDAS, the E-Commerce Directive, the Directive on Consumer Rights already say much of what the Tory Manifesto says. Then, moving onto data protection, it gets even more familiar:

“We will give people new rights to ensure they are in control of their own data, including the ability to require major social media platforms to delete information held about them at the age of 18, the ability to access and export personal data, and an expectation that personal data held should be stored in a secure way.”

This is all from the General Data Protection Regulation (GDPR), passed in 2016, and due to come into force in 2018. Effectively, the Tories are trying to take credit for a piece of EU law – or they’re committing (as they’ve almost done before) to keeping compliant with that law after we’ve left the EU. That will be problematic, given that our surveillance law may make compliance impossible, but that’s for another time…

“…we will institute an expert Data Use and Ethics Commission to advise regulators and parliament on the nature of data use and how best to prevent its abuse.”

This is quite interesting – though notable that the word ‘privacy’ is conspicuous by its absence. It is, perhaps, the only genuinely positive thing in the Tory manifesto as it relates to the internet.

“We will make sure that our public services, businesses, charities and individual users are protected from cyber risks.”

Of course you will. The Investigatory Powers Act, however, does the opposite, as does the continued rhetoric against encryption. The NHS cyber attack, it must be remembered, was performed using a tool developed by GCHQ’s partners in the NSA. If the Tories really want to protect public services, businesses, charities and individuals, they need to change tack on this completely, and start promoting and supporting good practice and good, secure technology. Instead, they again double-down in the fight against encryption (and thus against security):

“….we do not believe that there should be a safe space for terrorists to communicate online and will work to prevent them from having this capability.”

…but as anyone with any understanding of technology knows, if you stop terrorists communicating safely, you stop all of us from communicating safely.

Next:

“…we also need to take steps to protect the reliability and objectivity of information that is essential to our democracy and a free and independent press.”

This presumably means some kind of measures against ‘fake news’. Most proposed measures elsewhere in the world are likely to amount to censorship – and given what else is in the manifesto (see below) I think that is the only reasonable conclusion here.

“We will ensure content creators are appropriately rewarded for the content they make available online.”

This looks as though it almost certainly means harsher and more intense copyright enforcement. That, again, is only to be expected.

Then, on internet safety, they say:

“…we must take steps to protect the vulnerable… …online rules should reflect those that govern our lives offline…”

Yes, We already do.

“We will put a responsibility on industry not to direct users – even unintentionally – to hate speech, pornography, or other sources of harm”

Note that this says ‘pornography’, not ‘illegal pornography’, and the ‘unintentionally’ part begins the more disturbing part of the manifesto. Intermediaries seem likely to be stripped of much of their ‘mere conduit’ protection – and be required to monitor much more closely what happens through their systems. This, in general, has two effects: to encourage surveillance, and to encourage caution about content (effectively to chill speech). This needs to be watched very carefully indeed.

“…we will establish a regulatory framework in law to underpin our digital charter and to ensure that digital companies, social media platforms and content providers abide by these principles. We will introduce a sanctions regime to ensure compliance, giving regulators the ability to fine or prosecute those companies that fail in their legal duties, and to order the removal of content where it clearly breaches UK law.”

This is the most worrying part of the whole piece. Essentially it looks like a clampdown on the social media – and, to all intents and purposes, the establishment of a full-scale internet censorship system (see the ‘fake news’ point above). Where the Tories are refusing to implement statutory regulation for the press (the abandonment of part 2 of Leveson is mentioned specifically in the manifesto, along with the repeal of Section 40 of the Crime and Courts Act 2013, which was one of the few bits of Leveson part 1 that was implemented) they look very much as though they want to impose it upon the online media. The Daily Mail will have more freedom than blogging platforms, Facebook and Twitter – and you can draw your own conclusions from that.

When this is all combined with the Investigatory Powers Act, it looks very much like a solid clampdown on internet freedom. Surveillance has been enabled – this will strengthen the second part of the authoritarian pincer movement, the censorship side. Privacy has been wounded, now it’s the turn of freedom of expression to be attacked. I can see how this will be attractive to some – and will go down very well indeed with both the proprietors and the readers of the Daily Mail – but anyone interested in internet freedom should be very much disturbed.

I just spent a very interesting day at ‘Project Breach’ – an initiative of Norfolk and Suffolk police, trying to encourage businesses and others to understand and protect themselves from cybercrime. It was informative in many ways, and primarily (as far as I could tell) intended to be both a pragmatic workshop, giving real advice, and to ‘change the narrative’ over cybercrime. In both ways, I think it worked – the advice, in particular, seemed eminently sensible.

What was particularly interesting, however, was how that advice was in most ways in direct tension with the government’s approach to surveillance, as manifested most directly in the Investigatory Powers Act 2016 – often labelled the ‘Snooper’s Charter’.

The speaker – Paul Maskall – spent much of the first session outlining the risks associated with your ‘digital footprint’. How your search history could reveal things about you. How your ‘meta data’ could say more about you than the content of your postings. How your browsing history could put you at risk of all kinds of scams and so forth. And yet all of this is made more vulnerable by the Investigatory Powers Act. Search histories and metadata could be forced to be retained by service providers. ‘Internet Connection Records’ could be used to create a record of your browsing – and all of this could then be vulnerable to the many forms of hacking etc that Maskall then went on to detail. The Investigatory Powers Act makes you more vulnerable to scams and other crimes.

The keys to the next two sessions were how to protect yourself – and two central pillars were encryption and VPNs. Maskall emphasised again and again the importance of encryption – and yet this is what Amber Rudd railed against only a few weeks ago, trying to link it to the Westminster attack, though subsequent evidence proved yet again that this was a red herring at best. The Investigatory Powers Act adds to the old Regulation of Investigatory Powers Act (RIPA) in the way it could allow encryption to be undermined…. which again puts us all at risk. When I raised this issue, first on Twitter and then in the room, Maskall agreed with me – encryption is critical to all of us, and attempts to undermine it put us all at risk – but I was challenged, privately, by another delegate in the room, after the session was over. Amber Rudd, this delegate told me, wasn’t talking about undermining encryption for us, but only for ISIS and Al Qaeda. I was very wrong, he told me, to put the speaker on the spot about this subject. All that showed me was how sadly effective the narrative presented by Amber Rudd, and Theresa May before her, as well as others in what might loosely be called the ‘security lobby’ has been. You can’t undermine encryption for ISIS without undermining it for all of us. You can’t allow backdoors for the security services without providing backdoors for criminals, enemy states and terrorists.

VPNs were the other key tool mentioned by the speaker – and quite rightly. Though they have not been directly acted against by the Investigatory Powers Act, they do (or might) act against the main new concept introduced by the Act, the Internet Connection Record. Further, VPN operators might also be subjected to the attention of the authorities, and asked to provide browsing histories themselves – though the good ones don’t even retain those histories, which will cause a conflict in itself. Quite now the authorities will deal with the extensive use of VPNs has yet to be seen – but if they frustrate the intentions of the act, we can expect something to be done. The overall point, however, remains. For good security – and privacy – we need to go against the intentions of the act.

The other way to put that is that the act goes directly against good practice in security and privacy. It undermines, rather than supports security. This is something that many within the field understand – including, from his comments to me after the event, the speaker at Project Breach. It is sad that this should be the case. A robust, secure and privacy-friendly internet helps us all. Even though it might go against their instincts, governments really should recognise that.

As is sadly all too common after an act of terrorism, freedom on the internet is also under attack – and almost entirely for spurious reasons. This is not, of course anything new. As the late and much lamented Douglas Adams, who died back in 2001 put it:

“I don’t think anybody would argue now that the Internet isn’t becoming a major factor in our lives. However, it’s very new to us. Newsreaders still feel it is worth a special and rather worrying mention if, for instance, a crime was planned by people ‘over the Internet’.”

The headlines in the aftermath of the Westminster attack were therefore far from unpredictable – though a little more extreme than most. The Daily Mail had:

“Google, the terrorists’ friend”

…and the Times noted that:

“Police search secret texts of terrorist”

…while the Telegraph suggested that:

“Google threatened with web terror law”

The implications are direct: the net is a tool for terrorists, and we need to bring in tough laws to get it under control.

And yet this all misses the key point – the implication of Douglas Adams’ quote. Terrorists use the internet to communicate and to plan because we all use the internet to communicate and plan. Terrorists use the internet to access information because we all use the internet to access information. The internet is a communicative tool, so of course they’ll use it – and as it develops and becomes better at all these things, we’ll all be able to use it in this way. And this applies to all the tools on the net. Yes, terrorists will use Google. Yes, they’ll use Facebook too. And Twitter. And WhatsApp. Why? Because they’re useful tools, systems, platforms, whatever you want to call them – and because they’re what we all use. Just as we use hire cars and kitchen knives.

Useful tools…

That’s the real point. The internet is something we all use – and it’s immensely useful. Yes, Google is a really good way to find out information – that’s why we all use it. The Mail seems shocked by this – not that it’s particularly difficult to know how a car might be used to drive somewhere and to crash into people. It’s not specifically the ‘terrorists’ friend, but a useful tool for all of us.

The same is true about WhatsApp – and indeed other forms of communication. Yes, they can be used by ‘bad guys’, and in ways that are bad – but they are also excellent tools for the rest of us. If you do something to ban ‘secret texts’ (effectively by undermining encryption), then actually you’re banning private and confidential communications – both of which are crucial for pretty much all of us.

The same is true of privacy itself. We all need it. Undermining it – for example by building in backdoors to services like WhatsApp – undermines us all. Further, calls for mass surveillance damage us all – and attacks like that at Westminster absolutely do not help build the case for more of it. Precisely the opposite. To the surprise of no-one who works in privacy, it turns out that the attacker was already known to the authorities – so did not need to be found by mass surveillance. The same has been true of the perpetrators of all the major terrorist attacks in the West in recent years. The murderers of Lee Rigby. The Boston Bombers. The Charlie Hebdo shooters. The Sydney siege perpetrators. The Bataclan killers. None of these attacks needed identifying through mass surveillance. At a time when resources are short, to spend time, money, effort and expertise on mass surveillance rather than improving targeted intelligence, putting more human intelligence into place – more police, more investigators rather than more millions into the hands of IT contractors – is hard to defend.

More responsible journalism…

What is also hard to defend is the kind of journalism that produces headlines like that in the mail, or indeed in the Times. Journalists should know better. They should know all too well the importance of privacy and confidentiality – they know when they need to protect their own sources, and get rightfully up in arms when the police monitor their communications and endanger their sources. They should know that ‘blocking terror websites’ is a short step away from political censorship, and potentially highly damaging to freedom of expression – and freedom of the press in particular.

They should know that they’re scaremongering or distracting with their stories, their headlines and their ‘angles’. At a time when good, responsible journalism is needed more than ever – to counter the ‘fake news’ phenomenon amongst other things, and to keep people informed at a time of political turmoil all over the world – this kind of an approach is deeply disappointing.